Overclassification stifles the cybersecurity conversation

Thanks to all of you who have sent your comments about Tate Watkins and my new cybersecurity paper. It’s been getting a good reception.

James Fallows of *The Atlantic*, for example, [noted yesterday](http://www.theatlantic.com/technology/archive/2011/04/two-fascinating-exhibits-on-data-security/237891/) that the paper “represents a significant libertarian-right voice of concern about this latest expansion of the permanent national-security surveillance state,” and that while we can’t underestimate cyber risks, “the emphasis on proportionate response, and the need to guard other values, comes at the right time. We should debate these threats rather than continuing to cower.”

Today I wanted to bend your ears (or eyes, I guess) with another excerpt. The subject today is the “if you only knew what we know” rationale for government action. I’m happy to see that Sen. Sheldon Whitehouse has [a new bill](http://www.fas.org/blog/secrecy/2011/04/cyber_secrecy.html) getting right at the problem of over-classification that allows leaders to get away with “just trust us” rhetoric. Check out the excerpt after the jump.

One of the most widely cited arguments for increased federal involvement in cybersecurity can be found in the report of the Commission on Cybersecurity for the 44th Presidency, [which I’ve discussed here before](http://techliberation.com/2010/10/20/what-is-the-evidence-for-cybersecurity-regulation/).

The report makes assertions about the nature of the threat, such as, “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is . . . a battle fought mainly in the shadows. It is a battle we are losing.” Unfortunately, the report provides little evidence to support such assertions. There is a brief recitation of various instances of cyber-espionage conducted against government computer systems. However, it does not put these cases in context, nor does it explain how these particular breaches demonstrate a national security crisis, or that “we are losing.”

The report also notes that Department of Defense computers are “probed hundreds of thousands of times each day.” This is a fact that proponents of increased federal involvement in cybersecurity often cite as evidence for a looming threat. However, probing and scanning networks are the digital equivalent of trying doorknobs to see if they are unlocked—a maneuver available to even the most unsophisticated would-be hackers. The number of times a computer network is probed is not evidence of an attack or a breach, or even of a problem.

Nevertheless, the Commission report and the cybersecurity bills it has inspired prescribe regulation of the Internet. The report asserts plainly: “It is undeniable that an appropriate level of cybersecurity cannot be achieved without regulation, as market forces alone will never provide the level of security necessary to achieve national security objectives.” But without any verifiable evidence of a threat, how is one to know what exactly is the “appropriate level of cybersecurity” and whether market forces are providing it? How is one to judge whether the recommendations that make up the bulk of the Commission’s report are necessary or appropriate?

Although never clearly stated, the implication seems to be that the report’s authors are working from classified sources, which might explain the dearth of verifiable evidence. To its credit, the Commission laments what it considers the “[overclassification](http://techliberation.com/2011/03/15/hayden-less-secrecy-for-a-public-conversation-on-cybersecurity/)” of information related to cybersecurity. But this should not serve as an excuse. If our past experience with threat inflation teaches us anything, it is that we cannot accept the word of government officials with access to classified information as the sole source of evidence for the existence or scope of a threat. The watchword is “trust but verify.” Until those who seek regulation can produce clear reviewable evidence of a threat, we should discount assertions such as “The evidence is both compelling and overwhelming,” and, “This is a strategic issue on par with weapons of mass destruction and global jihad.”

Jerry Brito / Jerry is a senior research fellow at the Mercatus Center at George Mason University, and director of its Technology Policy Program. He also serves as adjunct professor of law at GMU. His web site is jerrybrito.com.